Extensive security gaps persist in DOD networks

Despite countless warnings dating to 1996, the Defense Department's information networks continue to be plagued by serious security flaws and weaknesses that have opened up almost every area of the department to cyberattacks and fraud, according to a new General Accounting Office report.

Released today, GAO's report, "DOD Information Security: Serious Weaknesses Continue to Place Defense Operations at Risk," comes just weeks after deputy secretary of Defense John Hamre officiated over the ribbon-cutting ceremony of the Joint Task Force for Computer Network Defense.

The JTF-CND, which was formed last December, serves as the focal point for DOD to organize the defense of DOD computer networks and systems. When cyberattacks are detected, the JTF-CND is responsible for directing departmentwide defenses to stop or contain damage and restore DOD network functions operations.

The GAO report follows up on more than two dozen reports issued since 1996 that have outlined serious security flaws throughout DOD. "DOD has made limited progress in correcting general control weakness we reported in 1996," GAO concluded. "As a result, these weaknesses persist across every area of general controls."

Security gaps identified in the report include weaknesses in access controls, software development and unauthorized roles and responsibilities for users.

According to the report, support personnel working with an unidentified DOD system were able to alter system audit logs, which record all system activity and are a critical tool in identifying fraud and unauthorized access.

"We found at every location we visited that there was inadequate periodic review of user access privileges to ensure those privileges continued to be appropriate," the report stated. In one case, access authorizations for more than 20,000 users were not documented, according to the report.

In addition, GAO found that application programmers, including outside contractors, "had direct access to production resources, increasing the risk that unauthorized changes to production programs and data could be made and not detected."

On one system, 74 user accounts had privileges enabling them to change program source code without supervisory oversight, the report stated.

Speaking to reporters at the task force ribbon-cutting ceremony, Mike Dorsey, a special agent with the Naval Criminal Investigative Service who is working directly with the JTF-CND to investigate computer crimes against DOD networks, said unauthorized attempts to access DOD systems are on the rise but that DOD does not have the resources to respond to every incident.

A spokeswoman for DOD said the department is addressing all the issues contained in the report. "We know the department has its work cut out. But we are aggressively pursuing initiatives through a 'defense in depth' strategy," the DOD spokeswoman said. "These changes won't happen overnight, but we are moving ahead as quickly as our resource processes will allow."